* Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124

- Add more restriction on entrypoint for unconfined domains.

policy-rawhide-base.patch

@@ -16174,7 +16174,7 @@ index 8416beb..19d6aba 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..3ed4189 100644
+index e7d1738..6ac60c3 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -16308,6 +16308,19 @@ index e7d1738..3ed4189 100644
  
  ########################################
  #
+@@ -301,9 +322,10 @@ fs_associate_noxattr(noxattrfs)
+ # Unconfined access to this module
+ #
+ 
+-allow filesystem_unconfined_type filesystem_type:filesystem *;
++allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
+ 
+ # Create/access other files. fs_type is to pick up various
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
++allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
++allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
 diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
 index 7be4ddf..9710b33 100644
 --- a/policy/modules/kernel/kernel.fc
@@ -17578,7 +17591,7 @@ index e100d88..991e1a5 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..96d9a91 100644
+index 8dbab4c..15c063c 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17865,7 +17878,23 @@ index 8dbab4c..96d9a91 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
+ # Rules for unconfined acccess to this module
+ #
+ 
+-allow kern_unconfined proc_type:{ dir file lnk_file } *;
++allow kern_unconfined proc_type:{ file } ~entrypoint;
++allow kern_unconfined proc_type:{ dir lnk_file } *;
+ 
+-allow kern_unconfined sysctl_type:{ dir file } *;
++allow kern_unconfined sysctl_type:{ file } ~entrypoint;
++allow kern_unconfined sysctl_type:{ dir } *;
+ 
+ allow kern_unconfined kernel_t:system *;
+ 
+-allow kern_unconfined unlabeled_t:dir_file_class_set *;
++allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
++allow kern_unconfined unlabeled_t:file ~entrypoint;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 123%{?dist}
+Release: 124%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,7 +602,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
+* Wed Apr 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-124
+- Add more restriction on entrypoint for unconfined domains.
+
+* Tue Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
 - Allow abrtd to list home config. BZ(1199658)
 - Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
 - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)